| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4B45EF7C.5020101@p8x.net> Date: Thu, 07 Jan 2010 22:28:12 +0800 From: p8x <l@....net> To: full-disclosure@...ts.grok.org.uk Subject: Re: iiscan results Hi Jan, I am not sure what you mean. Maybe I should clarify, I used some bash magic to make it a bit easier to read the results from my log file. Here is a copy of the log pre me making it easy to read: http://pastebin.com/m512018cb If you read the above log file you will be able to see the duplicate requests, as an example these two time stamps are have the same request: [07/Jan/2010:09:25:32 +0800] [07/Jan/2010:09:25:36 +0800] I did the test twice, so the results in my previous post that were requested twice can be ignored. p8x On 7/01/2010 10:08 PM, Jan G.B. wrote: > What you see is not an issue or error. It is, what the application is > supposed to do. > > * As you can see, these requests are not the same. > * Thinking about muiltiple POST requests on WP-Login or your "logs" > below, you could have guessed in the first place that the app is either > trying multiple Login/Passwort combinations or (as seen below) some > patterns to detect Injection possibilities. > > Regards > > 2010/1/7 p8x <l@....net <mailto:l@....net>> > > Hi Vincent, > > I also experied the same issue as mrx. I did see multiple get and post > requests to the same page. > > As an example, I took a random page with a form on it, here are the > totals: > > 2 /password.html > 2 /password.html?key=88888&form_validated=12345&submit_form=88888 > 2 /password.html?key=88888&form_validated=12345&submit_form=88888' > 2 > /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6 > 2 > /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6 > 2 > /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'=' > 2 /password.html?key=88888&submit_form=88888&form_validated=12345 > 2 /password.html?key=88888&submit_form=88888&form_validated=12345' > 2 > /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6 > 2 > /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6 > 2 > /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'=' > 2 /password.html?submit_form=88888&form_validated=12345&key=88888 > 2 /password.html?submit_form=88888&form_validated=12345&key=88888' > 2 > /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6 > 2 > /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6 > 2 > /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'=' > 4 > /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5 > 4 > /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5 > 4 > /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'=' > 4 > /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5 > 4 > /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5 > 4 > /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'=' > 4 > /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5 > 4 > /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5 > 4 > /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'=' > > Also, the contact forms on the websites I tested got hammered with > emails (and they also seemed to have duplicate requests). > > p8x > > On 7/01/2010 8:00 PM, mrx wrote: > > Vincent, > > > > Although the actual results of the scan were displayed in English > in the online html report, > > the suggested solutions were in fact in Chinese. > > > > Checking my access logs reveals multiple attempts of the same > attack/probe, for example multiple identical POSTs to the same page: > > > > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST > /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 > (compatible; MSIE 7.0; Windows > > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0" > > > > There are around 100 entries identical to the above in my log. I > don't know if this is by design or not but it does seem to be a > little inefficient. > > > > > > I also noticed there were no attempts at information disclosure > via the TRACE method, nor were any attempts made at SQL injection > despite my > > selecting "all" in the scan options. Not that my site is > vulnerable in any way ;-) > > > > Hope this helps > > > > regards > > mrx > > > > > > > > Vincent Chao wrote: > >> Thank you for your analysis. It really helps me. > > > >> And I also found the PDF report mail to us is in Chinese, in the > website of > >> iiScan, however, to see the report of html or PDF format is > English (of > >> course can change to Chinese). > > > >> -----Original Message----- > >> From: full-disclosure-bounces@...ts.grok.org.uk > <mailto:full-disclosure-bounces@...ts.grok.org.uk> > >> [mailto:full-disclosure-bounces@...ts.grok.org.uk > <mailto:full-disclosure-bounces@...ts.grok.org.uk>] On Behalf Of mrx > >> Sent: Wednesday, January 06, 2010 8:45 PM > >> To: full-disclosure@...ts.grok.org.uk > <mailto:full-disclosure@...ts.grok.org.uk> > >> Subject: [Full-disclosure] iiscan results > > > >> Well, this scanner managed to find a couple of low level > vulnerabilities on > >> my site which were missed by both Nikto and Nessus. > > > >> Two directories allowed a directory listing and a test.php file I > created, > >> an information disclosure vulnerability, was also detected. My dumb > >> ass forgot to delete this "test.php" file after I finished > testing the > >> server. > > > >> Possible sensitive directories were also listed, however browsing > to these > >> directories returned 403 errors, blank pages or a wordpress logon > >> prompt, which is what I expected. > > > >> So all in all this scanner seems to do it's job well. At least > for a LAMP > >> server running wordpress > > > >> Of course I have addressed the vulnerabilities reported. > > > >> My command of the Chinese language is limited to zero, so I cannot > >> understand the pdf report emailed to me nor the information > within the web > >> based report. Hopefully the developers will address this language > problem. > > > >> regards > >> mrx > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists